Security Audit
adinvadim/2captcha-cli:root
github.com/adinvadim/2captcha-cli
Trust Assessment
adinvadim/2captcha-cli:root received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Unverified remote script execution during installation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 2, 2026 (commit e6fc14e8). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Unverified remote script execution during installation | LLM | SKILL.md:9 |

The skill's installation instructions download and execute a script (`solve-captcha`) directly from a remote GitHub URL (`https://raw.githubusercontent.com/adinvadim/2captcha-cli/main/solve-captcha`) without any integrity verification (e.g., checksum, signature). This poses a critical supply chain risk, as a compromise of the remote repository or the content delivery network could lead to arbitrary code execution on the user's system when the skill is installed. The downloaded script is then made executable and placed in a common system PATH location (`/usr/local/bin`).

To mitigate this critical supply chain risk, consider the following:

1. **Provide a checksum:** If direct download is necessary, provide a cryptographic hash (e.g., SHA256) of the script that users can verify after download and before execution.
2. **Pin to a specific version/commit:** Instead of downloading from the `main` branch, link to a specific commit hash or release tag to ensure immutability of the script.
3. **Recommend a package manager:** Distribute the tool via a trusted package manager (e.g., Homebrew, apt, yum, pip) that handles integrity checks and versioning.
4. **Review the `solve-captcha` script:** Ensure the script itself follows security best practices and does not contain vulnerabilities or excessive permissions.